Content Management Forum

Announcement of a Denial of Service vulnerability potentially affecting default installations of WordPress versions 3.5 to 3.9, and default installations of Drupal versions 6.x to 7.x. Patches and upgrades available....

Major Security Vulnerability in WordPress, Drupal Could Take Down Websites (Aug 6, 2014) [mashable.com...]

If your website runs on a self-hosted WordPress installation or on Drupal, update your software now.

Nir Goldshlager [breaksec.com], a security researcher from Salesforce.com's product security team, has discovered an XML vulnerability that impacts the popular website platforms WordPress and Drupal.

The vulnerability uses a well-known XML Quadratic Blowup Attack — and when executed, it can take down an entire website or server almost instantly....

Because of the potential vector size of this vulnerability, xxxx made sure to responsibly disclose the vulnerability to the WordPress and Drupal teams before sharing the results with the public.
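To make the quoted description concrete, here is an added example (not from the article, and not WordPress's or Drupal's own code) of what a quadratic blowup looks like and of the kind of pre-parse check a server can apply. It builds a constructed XML-RPC-shaped request whose single internal entity is referenced many times, shows how much larger the expanded text is than the request, and then refuses any request carrying a DOCTYPE or ENTITY declaration (XML-RPC has no legitimate use for a DTD). The `demo.echo` method name and the `reject_if_unsafe` helper are assumptions for illustration only.

```python
"""Quadratic blowup demo.

One large internal entity referenced N times expands to N * len(entity)
bytes. No nested entities are needed, so parsers that only limit entity
nesting depth (the usual 'billion laughs' defence) do not stop it.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional


def build_quadratic_blowup(entity_len: int, refs: int) -> bytes:
    """Constructed sample request: entity `a` is entity_len bytes long and is
    referenced refs times inside a <string> parameter."""
    entity_value = "A" * entity_len
    references = "&a;" * refs
    doc = (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE methodCall [<!ENTITY a "{entity_value}">]>\n'
        '<methodCall><methodName>demo.echo</methodName>'  # hypothetical method
        f'<params><param><value><string>{references}</string></value></param></params>'
        '</methodCall>'
    )
    return doc.encode()


def expanded_text_len(xml_bytes: bytes) -> int:
    """Parse naively (internal entities expanded) and return the length of
    the expanded <string> text, i.e. what the server would have to hold in
    memory."""
    root = ET.fromstring(xml_bytes)
    return len(root.findtext(".//string") or "")


def predicted_expansion(entity_len: int, refs: int) -> int:
    """Expected expanded size: linear in each factor, quadratic overall."""
    return entity_len * refs


# Any DTD construct in an XML-RPC body is suspicious: legitimate clients
# never send one, and it is the only way to declare entities.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def reject_if_unsafe(xml_bytes: bytes, max_bytes: int = 1_000_000) -> Optional[str]:
    """Return a reason to refuse the request, or None if it may be parsed.

    Both checks run on the raw bytes, before any parser touches the input,
    so the cost of the decision is bounded by the request size.
    """
    if len(xml_bytes) > max_bytes:
        return f"request too large: {len(xml_bytes)} bytes"
    if _DTD_RE.search(xml_bytes):
        return "DTD / entity declaration not allowed"
    return None


if __name__ == "__main__":
    payload = build_quadratic_blowup(entity_len=1000, refs=1000)
    print(f"request size: {len(payload)} bytes")
    print(f"expanded size: {expanded_text_len(payload)} bytes")
    print(f"verdict: {reject_if_unsafe(payload)}")
```

The numbers are kept deliberately small (about 4 KB of request expanding to 1 MB of text) because recent Expat releases add an amplification limit that activates only once the expanded output passes a fixed threshold; a real attacker picks sizes that stay below any such threshold per request and sends many requests in parallel. The regex check is intentionally blunt: rather than trying to bound expansion, it removes the only mechanism by which expansion can happen.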

Really? So these clever bunnies gave the CMS makers 5 minutes' warning before advertising the exploit to the public?

How often do we see this, and how absolutely caring for attention to themselves. I for one do not want to update my CMS versions, especially when they may be customized and/or require PHP and/or MySQL versions not available on my server.

As for the potential of being exploited, if these prats did the right thing and informed the CMS makers only, then it would be very unlikely for the vulnerability to ever be exploited!

I saw this report shortly after it came out, but the fixes were rolled out fast enough that I had actually updated critical sites before I got the Sucuri notice.

WordPress used to always have it disabled by default, though the file addresses are widely known. A few versions ago WP finally decided it was secure enough to enable it by default.

Kendo - in addition to blocking access to xmlrpc.php, the Drupal security notice says that on Drupal you should disable the OpenID module. Since almost nobody I know actually has it enabled, that's likely a moot point, but I thought I'd mention it.

In any case, not to diminish the threat of a DDoS attack, but it's not the same to me as what I would consider a true security threat that allows access to secure areas of the site or allows installing malware on the site.